Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Fool ReCAPTCHA With Google's Own Speech-To-Text Service (vice.com)

Posted by BeauHD on from the add-insult-to-injury dept.

Researchers at the University of Maryland have managed to trick Google's reCaptcha system by using Google's own speech-to-text service. "[The researchers] claim that their CAPTCHA-fooling method, unCaptcha, can fool Google's reCaptcha, one of the most popular CAPTCHA systems currently used by hundreds of thousands of websites, with a 90 percent success rate," reports Motherboard. From the report: The researchers originally developed UnCaptcha in 2017, which uses Google's own free speech-to-text service to trick the system into thinking a robot is a human. It's an oroborus of bots: According to their paper, UnCaptcha downloads the audio captcha, segments the audio into individual digit audio clips, uploads the segments to multiple other speech-to-text services (including Google's), then converts these services' responses to digits. After a little homophone guesswork, it then decides which speech-to-text output is closest to accurate, and uploads the answer to the CAPTCHA field. This old method returned an 85% success rate.

After the release of that version of unCaptcha, Google fixed some of the loopholes that made it work, including better browser automation detection and switching to spoken phrases, rather than digits. The researchers claim that their new method, updated in June, gets around these improvements and is even more accurate than before, at 90 percent. "We have been in contact with the ReCaptcha team for over six months and they are fully aware of this attack," the researchers write. "The team has allowed us to release the code, despite its current success."

11 of 31 comments (clear)

  1. Is there any way to make it play itself? by Etcetera · · Score: 1

    "Yes. Number of players: zero"

    Suspenseful music begins

    --
    Hire a Linux system administrator, systems engineer,
  2. So what? by Iwastheone · · Score: 1

    People who sit at a keyboard all day learn the internet has backdoors. No sympathy from others who work hard for a living.

  3. Mongo only pawn in cave of life by Anonymous Coward · · Score: 1

    Mongo upset at neo-trogs with keyboards, how make fire? Mystery anger! Must smash cave-diploma, but cannot find! Mongo know, will whine online somehow anyway. Cave irony... Mongo no sympathy, Mongo sad about Mongo.

    Sad cave.

  4. Fermi's Great Filter. by AndyKron · · Score: 1

    Digital technology will turn out to be Fermi's Great Filter. Wait for it.

  5. Success rate by techdolphin · · Score: 2

    I thiink ReCAPTCHA's success rate of 90 percent is better than mine on some CAPTCHAs.

    1. Re:Success rate by meerling · · Score: 1

      I have to agree, and some of my family are worse than I am.

      So what I want to know is when they'll make their tool available to us regular humans (or reasonable facsimiles thereof )

  6. A bit late? by LordKronos · · Score: 1

    Aren't they a bit late in this hack? Just a few months ago we had this story about how google is redesigning the recaptcha to not even require user interaction anymore:
    https://tech.slashdot.org/stor...

    So it sounds like they are hacking an old version that is already in the process of being retired.

  7. Blind and deaf defeat ReCaptcha! by Gravis+Zero · · Score: 1

    The real issue is that audio of a CAPTCHA (for blind accessibility) defeats the CAPTCHA. The second part is speech-to-text (for deaf accessibility) brings it full circle. What they really need is a true audio version of CAPTCHA that speech-to-text is likely to flub.

    --
    Anons need not reply. Questions end with a question mark.
  8. Omnipotence Paradox by Ichijo · · Score: 1

    Can Google design a CAPTCHA that's too difficult for their text-to-speech to read?

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    1. Re:Omnipotence Paradox by Kjella · · Score: 1

      Can Google design a CAPTCHA that's too difficult for their text-to-speech to read?

      Google isn't reading its own CAPTCHA, they generate it and offer a speech version for accessibility to the visually impaired. It's not very difficult to create some horribly mangled text though, the problem is creating one that untrained, average humans can solve but computers don't. CloudFlare at some point went overboard on this, resulting in CAPTCHAs that were near impossible for a human to reliably read. And bots don't care if they have a mediocre success rate, for humans it's extremely frustrating to try multiple attempts to succeed. Sometimes even the definitions become a problem, like Google sometimes ask me to flag sections with traffic lights. Do they mean lights as in where I can actually see a lit red/yellow/green light, the front face, the back face and the pole or that light a block down that's 2 pixels wide? I'm just guessing until they're happy.

      --
      Live today, because you never know what tomorrow brings
  9. Re: Google being in too many places by astrofurter · · Score: 2

    It's time for President Trump to get out his trust-busting stick. Break up Alphabet!

    Android - separate company
    Chrome - separate company
    YouTube - separate company
    Gmail - separate company
    Search - separate company
    Advertising - separate company
    Maps - separate company

    Break up Alphabet now! Stop Google before it's too late!